On 29/10/2014 19:35, Moritz Mühlenhoff wrote:
> Given that dealing with 6/7 in wheezy is already problematic enough,
> having two versions again in jessie is not feasible.
I've been around for only one year, so I may not have a good overview of the security issues with Tomcat, but from my experience the security fixes are thoroughly documented by the upstream developers [1][2][3] and backporting the patches isn't very difficult. I admit the backporting can become more tedious as the code base ages; that's why I was suggesting, the last time we discussed this topic, that we do point release upgrades in stable. Starting with Tomcat 7, the behavior of the server is verified by an extensive test suite, so this operation is unlikely to cause severe regressions.

For example, if we ship Tomcat 8.0.14 in Jessie, we start by backporting the security fixes, and one year later we upgrade it to the current 8.0.x version in testing (we pick a version that has been in testing long enough to build confidence in its stability).

I think that's a good compromise between stability, security and maintainability. What do you think?

Emmanuel Bourg

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-8.html

Archive: https://lists.debian.org/545161b7.7040...@apache.org